From 942d9fa4f582a372af3d0bd499f073760dec2335 Mon Sep 17 00:00:00 2001

From: Stephen Gallagher <sgallagh@redhat.com>

Date: Tue, 27 Nov 2018 13:24:37 -0500

Subject: [PATCH 2/6] Adjust defaults based on system security level

Also permit arbitrary keylengths.

Disallow keylengths smaller than the configured system minimum.

Resolves: rhbz#1653323

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>

---

 config.h.in    |  1 -

 include/sscg.h |  1 +

 meson.build    | 10 ++++++--

 src/sscg.c     | 64 ++++++++++++++++++++++++++++++++++++++++++++++----

 4 files changed, 68 insertions(+), 8 deletions(-)

 delete mode 100644 config.h.in

diff --git a/config.h.in b/config.h.in

deleted file mode 100644

index 6044a4355f6c8bfac8d36e533f48f395c597e5ac..0000000000000000000000000000000000000000

--- a/config.h.in

+++ /dev/null

@@ -1 +0,0 @@

-#define PACKAGE_VERSION "@version@"

diff --git a/include/sscg.h b/include/sscg.h

index 2bd42bbee965c754efb91febd10b6a94af6f508e..3e97cfe49a5cd8fc734ecf43a94156e376227eb7 100644

--- a/include/sscg.h

+++ b/include/sscg.h

@@ -139,6 +139,7 @@ struct sscg_options

   /* Encryption requirements */

   int key_strength;

+  int minimum_key_strength;

   const EVP_MD *hash_fn;

   /* Output Files */

diff --git a/meson.build b/meson.build

index a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c..c7b08ed3d6dff686f08a90ca869ba5881a9e8aaa 100644

--- a/meson.build

+++ b/meson.build

@@ -34,6 +34,7 @@ endforeach

 pkg = import('pkgconfig')

 crypto = dependency('libcrypto')

+ssl = dependency('libssl')

 path_utils = dependency('path_utils')

 talloc = dependency('talloc')

@@ -49,6 +50,10 @@ else

     popt_incdirs = include_directories('subprojects/popt')

 endif

+has_get_sec_level = cc.has_function(

+    'SSL_CTX_get_security_level',

+    dependencies: [ ssl])

+

 sscg_lib_srcs = [

     'src/authority.c',

     'src/bignum.c',

@@ -70,6 +75,7 @@ sscg_lib = static_library(

     sources : sscg_lib_srcs,

     dependencies : [

         crypto,

+        ssl,

         talloc,

     ],

     install : false,

@@ -135,9 +141,9 @@ init_bignum_test = executable(

 test('init_bignum_test', init_bignum_test)

 cdata = configuration_data()

-cdata.set('version', meson.project_version())

+cdata.set_quoted('PACKAGE_VERSION', meson.project_version())

+cdata.set('HAVE_SSL_CTX_GET_SECURITY_LEVEL', has_get_sec_level)

 configure_file(

-    input : 'config.h.in',

     output : 'config.h',

     configuration : cdata)

diff --git a/src/sscg.c b/src/sscg.c

index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b893300a4414cd 100644

--- a/src/sscg.c

+++ b/src/sscg.c

@@ -17,6 +17,7 @@

     Copyright 2017 by Stephen Gallagher <sgallagh@redhat.com>

 */

+#define _GNU_SOURCE

 #include <popt.h>

 #include <stdlib.h>

 #include <stdio.h>

@@ -25,6 +26,7 @@

 #include <path_utils.h>

 #include <unistd.h>

 #include <openssl/evp.h>

+#include <openssl/ssl.h>

 #include <sys/param.h>

 #include "config.h"

@@ -32,11 +34,59 @@

 #include "include/authority.h"

 #include "include/service.h"

+static int

+get_security_level (void)

+{

+#ifdef HAVE_SSL_CTX_GET_SECURITY_LEVEL

+  SSL_CTX *ssl_ctx = SSL_CTX_new (TLS_method ());

+  int security_level = SSL_CTX_get_security_level (ssl_ctx);

+  SSL_CTX_free (ssl_ctx);

+  ssl_ctx = NULL;

+  return security_level;

+#else

+  return 0;

+#endif

+}

+

 static int

 set_default_options (struct sscg_options *opts)

 {

+  int security_level = get_security_level ();

+

   opts->lifetime = 3650;

-  opts->key_strength = 2048;

+

+  /* Select the default key strength based on the system security level

+   * See:

+   * https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_get_security_level.html

+   * for the specification of the minimums.

+   */

+  switch (security_level)

+    {

+    case 0:

+    case 1:

+    case 2:

+      /* Security level 2 and below permits lower key-strengths, but SSCG

+       * will set a minimum of 2048 bits

+       */

+      opts->key_strength = 2048;

+      break;

+

+    case 3: opts->key_strength = 3072; break;

+

+    case 4: opts->key_strength = 7680; break;

+

+    default:

+      /* Unknown security level. Default to the highest we know about */

+      fprintf (stderr,

+               "Unknown system security level %d. Defaulting to highest-known "

+               "level.\n",

+               security_level);

+      /* Fall through */

+

+    case 5: opts->key_strength = 15360; break;

+    }

+

+  opts->minimum_key_strength = opts->key_strength;

   return 0;

 }

@@ -117,6 +167,7 @@ main (int argc, const char **argv)

   size_t i;

   poptContext pc;

   struct sscg_options *options;

+  char *minimum_key_strength_help = NULL;

   char *country = NULL;

   char *state = NULL;

@@ -172,6 +223,9 @@ main (int argc, const char **argv)

   if (ret != EOK)

     goto done;

+  minimum_key_strength_help =

+    talloc_asprintf (main_ctx, "%d or larger", options->minimum_key_strength);

+

   options->verbosity = SSCG_DEFAULT;

   struct poptOption long_options[] = {

     POPT_AUTOHELP{ "quiet",

@@ -293,7 +347,7 @@ main (int argc, const char **argv)

       &options->key_strength,

       0,

       _ ("Strength of the certificate private keys in bits."),

-      _ ("{512,1024,2048,4096}") },

+      minimum_key_strength_help },

     {

       "hash-alg",

       '\0',

@@ -529,11 +583,11 @@ main (int argc, const char **argv)

         }

     }

-  if (options->key_strength != 512 && options->key_strength != 1024 &&

-      options->key_strength != 2048 && options->key_strength != 4096)

+  if (options->key_strength < options->minimum_key_strength)

     {

       fprintf (stderr,

-               "Key strength must be one of {512, 1024, 2048, 4096}.\n");

+               "Key strength must be at least %d bits.\n",

+               options->minimum_key_strength);

       ret = EINVAL;

       goto done;

     }

-- 

2.23.0